fix secret request issue in context log #2

Merged
merged 1 commit into from
Jun 29, 2020

Conversation

hirokuni-kitahara

No description provided.

@yuji-watanabe-jp yuji-watanabe-jp merged commit fe64129 into develop Jun 29, 2020
@yuji-watanabe-jp yuji-watanabe-jp deleted the fix/requestdump branch June 29, 2020 06:22
yuji-watanabe-jp added a commit that referenced this pull request Sep 7, 2021
* Initial commit

* init commit

* add request handler logic

* update go.mod

* put all func

* added request handler and main functions (#2)

* add remote request handler

* remove unused file

* remove tls.crt from secret.yaml

* change to use new constraints

* remove unused func

* remove unused values

* remove unused values

* rename parameter and package

* update request handler

* add ishield config

* add error handling

* fix mutation check

* refactor main.go/struct

* add allow/inScopeNamespace check

* add config

* fix to use ENV parameter

* fix inScopeNamespace and config name

* change the way of loading shield/reqhandler config

* support apiGroup match

* support label/namespaceSelector match

* change config name

Signed-off-by: ruriko <[email protected]>

* enable opa/gatekeeper admission controller (#4) (#5)

* enable to use opa/gatekeeper

Signed-off-by: ruriko <[email protected]>

* include shield config in rego policy

Signed-off-by: ruriko <[email protected]>

* update rego policy

Signed-off-by: ruriko <[email protected]>

* update default setting in rego policy

Signed-off-by: ruriko <[email protected]>

Co-authored-by: Ruriko Kudo <[email protected]>

* reorganized code (#6)

* reorganized code

Signed-off-by: ruriko <[email protected]>

* rename module name

* change config name

Signed-off-by: ruriko <[email protected]>

* update README.md

Signed-off-by: ruriko <[email protected]>

* change config name in admission controller

Signed-off-by: ruriko <[email protected]>

* Update Readme (#7)

* update README.md

Signed-off-by: ruriko <[email protected]>

* add an image

Signed-off-by: ruriko <[email protected]>

* fix README.md

Signed-off-by: ruriko <[email protected]>

* fix typo

Signed-off-by: ruriko <[email protected]>

* Update README.md

* Update README.md

* update README and fix config name

Signed-off-by: ruriko <[email protected]>

* update README

Signed-off-by: ruriko <[email protected]>

* update README

Signed-off-by: ruriko <[email protected]>

Co-authored-by: Yuji Watanabe <[email protected]>

* [ImgBot] Optimize images (#8)

/docs/ishield-scenario.png -- 146.35kb -> 104.24kb (28.77%)

Signed-off-by: ImgBotApp <[email protected]>

Co-authored-by: ImgBotApp <[email protected]>

* use latest k8s-manifest-sigstore (#9)

* update to use latest k8s-manifest-sigstore

Signed-off-by: ruriko <[email protected]>

* fix parameters

Signed-off-by: ruriko <[email protected]>

* fix to handle nil request handler config

Signed-off-by: ruriko <[email protected]>

* enable log/mode settings (#10)

* support log config

Signed-off-by: ruriko <[email protected]>

* support detect mode

Signed-off-by: ruriko <[email protected]>

* update rego policy to support detect mode

Signed-off-by: ruriko <[email protected]>

* change to use same log format with k8s-manifest-sigstore

* fix log level in deployment

Signed-off-by: ruriko <[email protected]>

* add K8S_MANIFEST_SIGSTORE_LOG_LEVEL

Signed-off-by: ruriko <[email protected]>

* fix K8S_MANIFEST_SIGSTORE_LOG_LEVEL

Signed-off-by: ruriko <[email protected]>

* fix conflict

Signed-off-by: ruriko <[email protected]>

* enable event/status update (#11)

* enable mip status update

Signed-off-by: ruriko <[email protected]>

* fix mip status update

Signed-off-by: ruriko <[email protected]>

* enable deny event

Signed-off-by: ruriko <[email protected]>

* change violations limit

Signed-off-by: ruriko <[email protected]>

* update rego policy (#12)

Signed-off-by: ruriko <[email protected]>

* Support operator and observer (#13)

* add initial code generated by operator-sdk

Signed-off-by: ruriko <[email protected]>

* add operator

Signed-off-by: ruriko <[email protected]>

* add observer

Signed-off-by: ruriko <[email protected]>

* fix public key loading

Signed-off-by: ruriko <[email protected]>

* update operator to deploy observer

Signed-off-by: ruriko <[email protected]>

* add utility scripts

* fix observer bug

Signed-off-by: ruriko <[email protected]>

* add flag for installing observer

Signed-off-by: ruriko <[email protected]>

* fix observer log and enable to show provenance log

Signed-off-by: ruriko <[email protected]>

* add operator bundle

* update version of k8s-manifest-sigstore

* fix log scripts

Signed-off-by: ruriko <[email protected]>

* fix to delete cluster scope

Signed-off-by: ruriko <[email protected]>

* fix operator to check constraint template crd is available

* update k8s-manifest-sigstore version and update server to generate deny events

Signed-off-by: ruriko <[email protected]>

* fix event and constraint template

Signed-off-by: ruriko <[email protected]>

* fix constraint template

Signed-off-by: ruriko <[email protected]>

* refine server role

Signed-off-by: ruriko <[email protected]>

* fix error handling

Signed-off-by: ruriko <[email protected]>

* update k8s-manifest-sigstore version

Signed-off-by: ruriko <[email protected]>

* enable to verify pgp/x509 signature

Signed-off-by: ruriko <[email protected]>

* update observer to export results to verifyresourcestatus

Signed-off-by: ruriko <[email protected]>

* update go.mod

Signed-off-by: ruriko <[email protected]>

* update go.mod

Signed-off-by: ruriko <[email protected]>

* handle nil observer config

Signed-off-by: ruriko <[email protected]>

* fix lint error

Signed-off-by: ruriko <[email protected]>

* rename inspector to observer and fix observer config

Signed-off-by: ruriko <[email protected]>

* enable constraint config to control enforce/inform mode per constraint (#14)

* fix typo

Signed-off-by: ruriko <[email protected]>

* update to enforce/observe according to constraint config

Signed-off-by: ruriko <[email protected]>

* enable image verification

Signed-off-by: ruriko <[email protected]>

* rename ishield-server to shield and change dir structure

Signed-off-by: ruriko <[email protected]>

* rename dir

Signed-off-by: ruriko <[email protected]>

* organize dir/files

Signed-off-by: ruriko <[email protected]>

* organize dir/files

Signed-off-by: ruriko <[email protected]>

Co-authored-by: Steve Martinelli <[email protected]>
Co-authored-by: Yuji Watanabe <[email protected]>
Co-authored-by: imgbot[bot] <31301654+imgbot[bot]@users.noreply.github.com>
Co-authored-by: ImgBotApp <[email protected]>
rurikudo added a commit that referenced this pull request Oct 1, 2021
* Create SECURITY.md

* Create SECURITY.md

* Replace go package path

* Create SECURITY.md

* temporary commit for sonar test

* temporary commit for sonar test 2

* Revert "temporary commit for sonar test 2"

This reverts commit 7680fdb.

* Revert "temporary commit for sonar test"

This reverts commit ee9df19.

* Update README_SETUP_KEY_RING_ACM_ENV.md

I am proposing a short section just to clarify that the remove then setup procedure will work as a way to move to a new signing key.

* Fixed the document to update how to update a verification key

* Squashed commit of the following:

commit 121e937
Author: hirokuni-kitahara <[email protected]>
Date:   Wed Jan 20 22:29:17 2021 +0900

    fix patch functions and add troubleshooting doc (#259)

    * fix patch functions and add troubleshooting doc

    * fix scripts and some parts in doc

commit 0ef8683
Author: Yuji Watanabe <[email protected]>
Date:   Wed Jan 20 22:18:16 2021 +0900

    change from K8s to k8s (#260)

    * change from K8s to k8s

    * fix tested cluster version

* Update signing script to remove syntax issue

The script had to be edited so it would run. I made these changes.

* Squashed commit of the following:

commit 02c7d25
Author: Kugamoorthy Gajananan <[email protected]>
Date:   Thu Jan 21 15:39:59 2021 +0900

    Added make target and script to update version in necessary files after building bundle based on new version (#261)

commit 6546dc1
Author: hirokuni-kitahara <[email protected]>
Date:   Thu Jan 21 15:37:29 2021 +0900

    fix integrity shield roles/cert config and add event type annotation to IntegrityShieldEvent (#262)

    * update role & cert duration and fix e2e test issue

    * add event type annotation and fix e2e test

commit 121e937
Author: hirokuni-kitahara <[email protected]>
Date:   Wed Jan 20 22:29:17 2021 +0900

    fix patch functions and add troubleshooting doc (#259)

    * fix patch functions and add troubleshooting doc

    * fix scripts and some parts in doc

commit 0ef8683
Author: Yuji Watanabe <[email protected]>
Date:   Wed Jan 20 22:18:16 2021 +0900

    change from K8s to k8s (#260)

    * change from K8s to k8s

    * fix tested cluster version

* Squashed commit of the following:

commit a93ca3b
Author: hirokuni-kitahara <[email protected]>
Date:   Thu Jan 21 19:37:51 2021 +0900

    fix e2e test delete error & fix op unit test timeout error (#263)

commit 02c7d25
Author: Kugamoorthy Gajananan <[email protected]>
Date:   Thu Jan 21 15:39:59 2021 +0900

    Added make target and script to update version in necessary files after building bundle based on new version (#261)

commit 6546dc1
Author: hirokuni-kitahara <[email protected]>
Date:   Thu Jan 21 15:37:29 2021 +0900

    fix integrity shield roles/cert config and add event type annotation to IntegrityShieldEvent (#262)

    * update role & cert duration and fix e2e test issue

    * add event type annotation and fix e2e test

commit 121e937
Author: hirokuni-kitahara <[email protected]>
Date:   Wed Jan 20 22:29:17 2021 +0900

    fix patch functions and add troubleshooting doc (#259)

    * fix patch functions and add troubleshooting doc

    * fix scripts and some parts in doc

commit 0ef8683
Author: Yuji Watanabe <[email protected]>
Date:   Wed Jan 20 22:18:16 2021 +0900

    change from K8s to k8s (#260)

    * change from K8s to k8s

    * fix tested cluster version

* resolve conflict

* add comment in readme to trigger rebuild for img vulns

Signed-off-by: Will Kutler <[email protected]>

* removed unnecessary dir/file

Signed-off-by: ruriko <[email protected]>

* removed unnecessary dir/file

Signed-off-by: ruriko <[email protected]>

* Preparing to move to new integrity shield (#344)

* Initial commit

* init commit

* add request handler logic

* update go.mod

* put all func

* added request handler and main functions (#2)

* add remote request handler

* remove unused file

* remove tls.crt from secret.yaml

* change to use new constraints

* remove unused func

* remove unused values

* remove unused values

* rename parameter and package

* update request handler

* add ishield config

* add error handling

* fix mutation check

* refactor main.go/struct

* add allow/inScopeNamespace check

* add config

* fix to use ENV parameter

* fix inScopeNamespace and config name

* change the way of loading shield/reqhandler config

* support apiGroup match

* support label/namespaceSelector match

* change config name

Signed-off-by: ruriko <[email protected]>

* enable opa/gatekeeper admission controller (#4) (#5)

* enable to use opa/gatekeeper

Signed-off-by: ruriko <[email protected]>

* include shield config in rego policy

Signed-off-by: ruriko <[email protected]>

* update rego policy

Signed-off-by: ruriko <[email protected]>

* update default setting in rego policy

Signed-off-by: ruriko <[email protected]>

Co-authored-by: Ruriko Kudo <[email protected]>

* reorganized code (#6)

* reorganized code

Signed-off-by: ruriko <[email protected]>

* rename module name

* change config name

Signed-off-by: ruriko <[email protected]>

* update README.md

Signed-off-by: ruriko <[email protected]>

* change config name in admission controller

Signed-off-by: ruriko <[email protected]>

* Update Readme (#7)

* update README.md

Signed-off-by: ruriko <[email protected]>

* add an image

Signed-off-by: ruriko <[email protected]>

* fix README.md

Signed-off-by: ruriko <[email protected]>

* fix typo

Signed-off-by: ruriko <[email protected]>

* Update README.md

* Update README.md

* update README and fix config name

Signed-off-by: ruriko <[email protected]>

* update README

Signed-off-by: ruriko <[email protected]>

* update README

Signed-off-by: ruriko <[email protected]>

Co-authored-by: Yuji Watanabe <[email protected]>

* [ImgBot] Optimize images (#8)

/docs/ishield-scenario.png -- 146.35kb -> 104.24kb (28.77%)

Signed-off-by: ImgBotApp <[email protected]>

Co-authored-by: ImgBotApp <[email protected]>

* use latest k8s-manifest-sigstore (#9)

* update to use latest k8s-manifest-sigstore

Signed-off-by: ruriko <[email protected]>

* fix parameters

Signed-off-by: ruriko <[email protected]>

* fix to handle nil request handler config

Signed-off-by: ruriko <[email protected]>

* enable log/mode settings (#10)

* support log config

Signed-off-by: ruriko <[email protected]>

* support detect mode

Signed-off-by: ruriko <[email protected]>

* update rego policy to support detect mode

Signed-off-by: ruriko <[email protected]>

* change to use same log format with k8s-manifest-sigstore

* fix log level in deployment

Signed-off-by: ruriko <[email protected]>

* add K8S_MANIFEST_SIGSTORE_LOG_LEVEL

Signed-off-by: ruriko <[email protected]>

* fix K8S_MANIFEST_SIGSTORE_LOG_LEVEL

Signed-off-by: ruriko <[email protected]>

* fix conflict

Signed-off-by: ruriko <[email protected]>

* enable event/status update (#11)

* enable mip status update

Signed-off-by: ruriko <[email protected]>

* fix mip status update

Signed-off-by: ruriko <[email protected]>

* enable deny event

Signed-off-by: ruriko <[email protected]>

* change violations limit

Signed-off-by: ruriko <[email protected]>

* update rego policy (#12)

Signed-off-by: ruriko <[email protected]>

* Support operator and observer (#13)

* add initial code generated by operator-sdk

Signed-off-by: ruriko <[email protected]>

* add operator

Signed-off-by: ruriko <[email protected]>

* add observer

Signed-off-by: ruriko <[email protected]>

* fix public key loading

Signed-off-by: ruriko <[email protected]>

* update operator to deploy observer

Signed-off-by: ruriko <[email protected]>

* add utility scripts

* fix observer bug

Signed-off-by: ruriko <[email protected]>

* add flag for installing observer

Signed-off-by: ruriko <[email protected]>

* fix observer log and enable to show provenance log

Signed-off-by: ruriko <[email protected]>

* add operator bundle

* update version of k8s-manifest-sigstore

* fix log scripts

Signed-off-by: ruriko <[email protected]>

* fix to delete cluster scope

Signed-off-by: ruriko <[email protected]>

* fix operator to check constraint template crd is available

* update k8s-manifest-sigstore version and update server to generate deny events

Signed-off-by: ruriko <[email protected]>

* fix event and constraint template

Signed-off-by: ruriko <[email protected]>

* fix constraint template

Signed-off-by: ruriko <[email protected]>

* refine server role

Signed-off-by: ruriko <[email protected]>

* fix error handling

Signed-off-by: ruriko <[email protected]>

* update k8s-manifest-sigstore version

Signed-off-by: ruriko <[email protected]>

* enable to verify pgp/x509 signature

Signed-off-by: ruriko <[email protected]>

* update observer to export results to verifyresourcestatus

Signed-off-by: ruriko <[email protected]>

* update go.mod

Signed-off-by: ruriko <[email protected]>

* update go.mod

Signed-off-by: ruriko <[email protected]>

* handle nil observer config

Signed-off-by: ruriko <[email protected]>

* fix lint error

Signed-off-by: ruriko <[email protected]>

* rename inspector to observer and fix observer config

Signed-off-by: ruriko <[email protected]>

* enable constraint config to control enforce/inform mode per constraint (#14)

* fix typo

Signed-off-by: ruriko <[email protected]>

* update to enforce/observe according to constraint config

Signed-off-by: ruriko <[email protected]>

* enable image verification

Signed-off-by: ruriko <[email protected]>

* rename ishield-server to shield and change dir structure

Signed-off-by: ruriko <[email protected]>

* rename dir

Signed-off-by: ruriko <[email protected]>

* organize dir/files

Signed-off-by: ruriko <[email protected]>

* organize dir/files

Signed-off-by: ruriko <[email protected]>

Co-authored-by: Steve Martinelli <[email protected]>
Co-authored-by: Yuji Watanabe <[email protected]>
Co-authored-by: imgbot[bot] <31301654+imgbot[bot]@users.noreply.github.com>
Co-authored-by: ImgBotApp <[email protected]>

* fix go.mod error and update crd version

Signed-off-by: ruriko <[email protected]>

* update apiVersion of IntegrityShield CRD to v1 (#345)

* change IntegrityShield CRD apiVersion to v1

Signed-off-by: Hirokuni-Kitahara1 <[email protected]>

* update Makefile

Signed-off-by: Hirokuni-Kitahara1 <[email protected]>

* fix default value in CR (#349)

Signed-off-by: ruriko <[email protected]>

* enable to use private rekor server (#350)

Signed-off-by: ruriko <[email protected]>

* enable image verification with a cosign verify-manifest function (#346)

* add image package and implement image profile

Signed-off-by: Hirokuni-Kitahara1 <[email protected]>

* update image verification

Signed-off-by: Hirokuni-Kitahara1 <[email protected]>

* add sample constraint with image profile

Signed-off-by: Hirokuni-Kitahara1 <[email protected]>

* update image verify codes

Signed-off-by: Hirokuni-Kitahara1 <[email protected]>

* update image verify codes

Signed-off-by: Hirokuni-Kitahara1 <[email protected]>

* fix small err in cr

Signed-off-by: ruriko <[email protected]>

* enforce/inform mode can be set for each constraint (#351)

* move constraint enforce setting into constraint parameter

Signed-off-by: ruriko <[email protected]>

* update operator-sdk version

Signed-off-by: ruriko <[email protected]>

* changed to appropriate name/parameters (#352)

* rename custom resource for reporting observation results

Signed-off-by: ruriko <[email protected]>

* fix action param name

Signed-off-by: ruriko <[email protected]>

* update bundle

Signed-off-by: ruriko <[email protected]>

* remove 'server' from all parameters

Signed-off-by: ruriko <[email protected]>

* fix value in local cr

Signed-off-by: ruriko <[email protected]>

* change api and observer roles to the minimum privileges (#353)

Signed-off-by: ruriko <[email protected]>

* updated request handler (#354)

* enable inScopeUsers

Signed-off-by: ruriko <[email protected]>

* fix err message

Signed-off-by: ruriko <[email protected]>

* resolve cosign warning message

Signed-off-by: ruriko <[email protected]>

* add e2e test (#355)

* fix crd scope

Signed-off-by: ruriko <[email protected]>

* add e2e-test

Signed-off-by: ruriko <[email protected]>

* remove unneeded files

Signed-off-by: ruriko <[email protected]>

* remove unneeded variable

Signed-off-by: ruriko <[email protected]>

* Unit test/prep move (#356)

* add unit-test

Signed-off-by: ruriko <[email protected]>

* fix Makefile for unit-test

Signed-off-by: ruriko <[email protected]>

* fix image registry name in unit-test

Signed-off-by: ruriko <[email protected]>

* Fixes to make travis build complete successfully

* Fixes to make travis build complete successfully

* update makefile

Signed-off-by: ruriko <[email protected]>

* Fixes to make travis build complete successfully - fixed image push script

* update observer (#358)

* add image verification to observer

Signed-off-by: ruriko <[email protected]>

* add param to change provenance option, update observer result detail for web ui

Signed-off-by: ruriko <[email protected]>

* fix operator

Signed-off-by: ruriko <[email protected]>

* update csv

Signed-off-by: ruriko <[email protected]>

* remove vulnerable package

Signed-off-by: ruriko <[email protected]>

* update operator (#359)

* change to use tmp cr to test with latest image tag

Signed-off-by: ruriko <[email protected]>

* update to use csv version as image tag

Signed-off-by: ruriko <[email protected]>

* fix csv

Signed-off-by: ruriko <[email protected]>

* update operator (#360)

* enable to handle unexpected value in image fields

Signed-off-by: ruriko <[email protected]>

* fix the handling of incorrect image definitions

Signed-off-by: ruriko <[email protected]>

* fix build func for observer deployment

Signed-off-by: ruriko <[email protected]>

* update e2e-test for support remote env

Signed-off-by: ruriko <[email protected]>

* updated not to create psp

Signed-off-by: ruriko <[email protected]>

* fixed implementation error

Signed-off-by: ruriko <[email protected]>

* unify ISHIELD_OP_NS with ISHIELD_NS

Signed-off-by: ruriko <[email protected]>

* fixed implementation error

Signed-off-by: ruriko <[email protected]>

* fix makefile

Signed-off-by: ruriko <[email protected]>

* resolve conflicts

Signed-off-by: ruriko <[email protected]>

Co-authored-by: Tsu Phin Hee <[email protected]>
Co-authored-by: Yuji Watanabe <[email protected]>
Co-authored-by: [email protected] <[email protected]>
Co-authored-by: hirokuni <[email protected]>
Co-authored-by: Gus Parvin <[email protected]>
Co-authored-by: Will Kutler <[email protected]>
Co-authored-by: William Kutler <[email protected]>
Co-authored-by: Steve Martinelli <[email protected]>
Co-authored-by: imgbot[bot] <31301654+imgbot[bot]@users.noreply.github.com>
Co-authored-by: ImgBotApp <[email protected]>
Co-authored-by: OpenShift Merge Robot <[email protected]>
hirokuni-kitahara referenced this pull request in hirokuni-kitahara/integrity-enforcer Oct 1, 2021
* remove all camel case filenames (IBM#327)

* Bump ssri from 8.0.0 to 8.0.1 in /docs (IBM#328)

Bumps [ssri](https:/npm/ssri) from 8.0.0 to 8.0.1.
- [Release notes](https:/npm/ssri/releases)
- [Changelog](https:/npm/ssri/blob/latest/CHANGELOG.md)
- [Commits](npm/ssri@v8.0.0...v8.0.1)

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Bump lodash from 4.17.19 to 4.17.21 in /docs (IBM#330)

Bumps [lodash](https:/lodash/lodash) from 4.17.19 to 4.17.21.
- [Release notes](https:/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.19...4.17.21)

Signed-off-by: dependabot[bot] <[email protected]>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* support sigstore verification and refactor shield codes for future capability (IBM#331)

* sigstore update

* add sigstore verification & fix dryrun issues

* use remote fulcio.pem for sigstore verification

* fix sigstore test

* update sigstore codes

* fix common profile request pattern type

* fix CRD dryrun codes to support building with the latest grpc codes

* initial commit for inspector

* 1st shot of inspector

* add result CRD for inspector

* temp commit

* add .gitignore to inspector

* temp commit

* split reqcontext into 2 new contexts

* fix resource context

* add checker

* use 2 handlers in webhook instead of calling api

* merge fix/sigstore branch into dev/refactoer

* make verifiers pluggable & create a sample implementation of verifier

* fix some secret values

* fix testcases and add resource handler tests

* fix e2e test

* fix scripts

* fix Makefile

* fix operator config

* remove unused directory

* finalize refactoring

* finalize refactoring

* Feature: Integrated keyless signing and verification mechanism that uses sigstore/cosign with IShield

* disable inspector and checker codes

* disable inspector and checker codes

* add audit mode for cmd

* Fix/sign yaml (IBM#332)

* Feature: Integrated keyless signing and verification mechanism that uses sigstore/cosign with IShield

* Feature: Integrated keyless signing and verification mechanism that uses sigstore/cosign with IShield, added message matching, bundle verification steps, compress annotations, refactor

* fix cmd/pkg/yamlsign/util.go

* fix bundle annotation mask

* fix sigstore bundle verification

* remove unused constants in audit package

* observer go.mod

* add image verification config to shield config

* remove debug message

* Fix/sign yaml (IBM#333)

* Feature: Integrated keyless signing and verification mechanism that uses sigstore/cosign with IShield, added message matching, bundle verification steps, compress annotations, refactor

* merged with dev/refactor

* refactored code for signing and verifying yaml, removed unused code

* Added comments to refer to original code

* Removed license

* fixed fetching signed payload

* Removed license

* Fixed command line help text

* Fixed command line help text

* enable image verification (IBM#334)

* fix image verification result (IBM#335)

* Dev/refactor update (IBM#336)

* resolve conflict

* fix image decision result

* fix image verification condition

* fix logger to enable session trace

* fix check_functions.go functions and test cases

Co-authored-by: [email protected] <[email protected]>
Co-authored-by: Ruriko Kudo <[email protected]>

* Added tests code for signing and verifying YAML (IBM#337)

* Added tests code for signing and verifying YAML

* Added tests code for signing and verifying YAML

* Fix/upgrade 0 2.0 (IBM#338)

* Upgrading to version 2.0.0

* Upgrade bundle to 0.2.0

* removed unnecessary dir/file

Signed-off-by: ruriko <[email protected]>

* removed unnecessary dir/file

Signed-off-by: ruriko <[email protected]>

* Preparing to move to new integrity shield (IBM#344)

* Initial commit

* init commit

* add request handler logic

* update go.mod

* put all func

* added request handler and main functions (#2)

* add remote request handler

* remove unused file

* remove tls.crt from secret.yaml

* change to use new constraints

* remove unused func

* remove unused values

* remove unused values

* rename parameter and package

* update request handler

* add ishield config

* add error handling

* fix mutation check

* refactor main.go/struct

* add allow/inScopeNamespace check

* add config

* fix to use ENV parameter

* fix inScopeNamespace and config name

* change the way of loading shield/reqhandler config

* support apiGroup match

* support label/namespaceSelector match

* change config name

Signed-off-by: ruriko <[email protected]>

* enable opa/gatekeeper admission controller (IBM#4) (IBM#5)

* enable to use opa/gatekeeper

Signed-off-by: ruriko <[email protected]>

* include shield config in rego policy

Signed-off-by: ruriko <[email protected]>

* update rego policy

Signed-off-by: ruriko <[email protected]>

* update default setting in rego policy

Signed-off-by: ruriko <[email protected]>

Co-authored-by: Ruriko Kudo <[email protected]>

* reorganized code (IBM#6)

* reorganized code

Signed-off-by: ruriko <[email protected]>

* rename module name

* change config name

Signed-off-by: ruriko <[email protected]>

* update README.md

Signed-off-by: ruriko <[email protected]>

* change config name in admission controller

Signed-off-by: ruriko <[email protected]>

* Update Readme (IBM#7)

* update README.md

Signed-off-by: ruriko <[email protected]>

* add an image

Signed-off-by: ruriko <[email protected]>

* fix README.md

Signed-off-by: ruriko <[email protected]>

* fix typo

Signed-off-by: ruriko <[email protected]>

* Update README.md

* Update README.md

* update README and fix config name

Signed-off-by: ruriko <[email protected]>

* update README

Signed-off-by: ruriko <[email protected]>

* update README

Signed-off-by: ruriko <[email protected]>

Co-authored-by: Yuji Watanabe <[email protected]>

* [ImgBot] Optimize images (IBM#8)

/docs/ishield-scenario.png -- 146.35kb -> 104.24kb (28.77%)

Signed-off-by: ImgBotApp <[email protected]>

Co-authored-by: ImgBotApp <[email protected]>

* use latest k8s-manifest-sigstore (IBM#9)

* update to use latest k8s-manifest-sigstore

Signed-off-by: ruriko <[email protected]>

* fix parameters

Signed-off-by: ruriko <[email protected]>

* fix to handle nil request handler config

Signed-off-by: ruriko <[email protected]>

* enable log/mode settings (IBM#10)

* support log config

Signed-off-by: ruriko <[email protected]>

* support detect mode

Signed-off-by: ruriko <[email protected]>

* update rego policy to support detect mode

Signed-off-by: ruriko <[email protected]>

* change to use same log format with k8s-manifest-sigstore

* fix log level in deployment

Signed-off-by: ruriko <[email protected]>

* add K8S_MANIFEST_SIGSTORE_LOG_LEVEL

Signed-off-by: ruriko <[email protected]>

* fix K8S_MANIFEST_SIGSTORE_LOG_LEVEL

Signed-off-by: ruriko <[email protected]>

* fix conflict

Signed-off-by: ruriko <[email protected]>

* enable event/status update (IBM#11)

* enable mip status update

Signed-off-by: ruriko <[email protected]>

* fix mip status update

Signed-off-by: ruriko <[email protected]>

* enable deny event

Signed-off-by: ruriko <[email protected]>

* change violations limit

Signed-off-by: ruriko <[email protected]>

* update rego policy (IBM#12)

Signed-off-by: ruriko <[email protected]>

* Support operator and observer (IBM#13)

* add initial code generated by operator-sdk

Signed-off-by: ruriko <[email protected]>

* add operator

Signed-off-by: ruriko <[email protected]>

* add observer

Signed-off-by: ruriko <[email protected]>

* fix public key loading

Signed-off-by: ruriko <[email protected]>

* update operator to deploy observer

Signed-off-by: ruriko <[email protected]>

* add utility scripts

* fix observer bug

Signed-off-by: ruriko <[email protected]>

* add flag for installing observer

Signed-off-by: ruriko <[email protected]>

* fix observer log and enable to show provenance log

Signed-off-by: ruriko <[email protected]>

* add operator bundle

* update version of k8s-manifest-sigstore

* fix log scripts

Signed-off-by: ruriko <[email protected]>

* fix to delete cluster scope

Signed-off-by: ruriko <[email protected]>

* fix operator to check constraint template crd is available

* update k8s-manifest-sigstore version and update server to generate deny events

Signed-off-by: ruriko <[email protected]>

* fix event and constraint template

Signed-off-by: ruriko <[email protected]>

* fix constraint template

Signed-off-by: ruriko <[email protected]>

* refine server role

Signed-off-by: ruriko <[email protected]>

* fix error handling

Signed-off-by: ruriko <[email protected]>

* update k8s-manifest-sigstore version

Signed-off-by: ruriko <[email protected]>

* enable to verify pgp/x509 signature

Signed-off-by: ruriko <[email protected]>

* update observer to export results to verifyresourcestatus

Signed-off-by: ruriko <[email protected]>

* update go.mod

Signed-off-by: ruriko <[email protected]>

* update go.mod

Signed-off-by: ruriko <[email protected]>

* handle nil observer config

Signed-off-by: ruriko <[email protected]>

* fix lint error

Signed-off-by: ruriko <[email protected]>

* rename inspector to observer and fix observer config

Signed-off-by: ruriko <[email protected]>

* enable constraint config to control enforce/inform mode per constraint (IBM#14)

* fix typo

Signed-off-by: ruriko <[email protected]>

* update to enforce/observe according to constraint config

Signed-off-by: ruriko <[email protected]>

* enable image verification

Signed-off-by: ruriko <[email protected]>

* rename ishield-server to shield and change dir structure

Signed-off-by: ruriko <[email protected]>

* rename dir

Signed-off-by: ruriko <[email protected]>

* organize dir/files

Signed-off-by: ruriko <[email protected]>

* organize dir/files

Signed-off-by: ruriko <[email protected]>

Co-authored-by: Steve Martinelli <[email protected]>
Co-authored-by: Yuji Watanabe <[email protected]>
Co-authored-by: imgbot[bot] <31301654+imgbot[bot]@users.noreply.github.com>
Co-authored-by: ImgBotApp <[email protected]>

* fix go.mod error and update crd version

Signed-off-by: ruriko <[email protected]>

* update apiVersion of IntegrityShield CRD to v1 (IBM#345)

* change IntegrityShield CRD apiVersion to v1

Signed-off-by: Hirokuni-Kitahara1 <[email protected]>

* update Makefile

Signed-off-by: Hirokuni-Kitahara1 <[email protected]>

* fix default value in CR (IBM#349)

Signed-off-by: ruriko <[email protected]>

* enable to use private rekor server (IBM#350)

Signed-off-by: ruriko <[email protected]>

* enable image verification with a cosign verify-manifest function (IBM#346)

* add image package and implement image profile

Signed-off-by: Hirokuni-Kitahara1 <[email protected]>

* update image verification

Signed-off-by: Hirokuni-Kitahara1 <[email protected]>

* add sample constraint with image profile

Signed-off-by: Hirokuni-Kitahara1 <[email protected]>

* update image verify codes

Signed-off-by: Hirokuni-Kitahara1 <[email protected]>

* update image verify codes

Signed-off-by: Hirokuni-Kitahara1 <[email protected]>

* fix small err in cr

Signed-off-by: ruriko <[email protected]>

* enforce/inform mode can be set for each constraint (IBM#351)

* move constraint enforce setting into constraint parameter

Signed-off-by: ruriko <[email protected]>

* update operator-sdk version

Signed-off-by: ruriko <[email protected]>

* changed to appropriate name/parameters (IBM#352)

* rename custom resource for reporting observation results

Signed-off-by: ruriko <[email protected]>

* fix action param name

Signed-off-by: ruriko <[email protected]>

* update bundle

Signed-off-by: ruriko <[email protected]>

* remove 'server' from all parameters

Signed-off-by: ruriko <[email protected]>

* fix value in local cr

Signed-off-by: ruriko <[email protected]>

* change api and observer roles to the minimum privileges (IBM#353)

Signed-off-by: ruriko <[email protected]>

* updated request handler (IBM#354)

* enable inScopeUsers

Signed-off-by: ruriko <[email protected]>

* fix err message

Signed-off-by: ruriko <[email protected]>

* resolve cosign warning message

Signed-off-by: ruriko <[email protected]>

* add e2e test (IBM#355)

* fix crd scope

Signed-off-by: ruriko <[email protected]>

* add e2e-test

Signed-off-by: ruriko <[email protected]>

* remove unneeded files

Signed-off-by: ruriko <[email protected]>

* remove unneeded variable

Signed-off-by: ruriko <[email protected]>

* Unit test/prep move (IBM#356)

* add unit-test

Signed-off-by: ruriko <[email protected]>

* fix Makefile for unit-test

Signed-off-by: ruriko <[email protected]>

* fix image registry name in unit-test

Signed-off-by: ruriko <[email protected]>

* Fixes to make travis build complete successfully

* Fixes to make travis build complete successfully

* update makefile

Signed-off-by: ruriko <[email protected]>

* Fixes to make travis build complete successfully - fixed image push script

* update observer (IBM#358)

* add image verification to observer

Signed-off-by: ruriko <[email protected]>

* add param to change provenance option, update observer result detail for web ui

Signed-off-by: ruriko <[email protected]>

* fix operator

Signed-off-by: ruriko <[email protected]>

* update csv

Signed-off-by: ruriko <[email protected]>

* remove vulnerable package

Signed-off-by: ruriko <[email protected]>

* resolve conflicts

Signed-off-by: ruriko <[email protected]>

* add variable for operator channel

Signed-off-by: ruriko <[email protected]>

* resolve conflicts

Signed-off-by: ruriko <[email protected]>

Co-authored-by: hirokuni-kitahara <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: [email protected] <[email protected]>
Co-authored-by: Steve Martinelli <[email protected]>
Co-authored-by: Yuji Watanabe <[email protected]>
Co-authored-by: imgbot[bot] <31301654+imgbot[bot]@users.noreply.github.com>
Co-authored-by: ImgBotApp <[email protected]>
Co-authored-by: Hiro Kitahara <[email protected]>
Co-authored-by: OpenShift Merge Robot <[email protected]>
hirokuni-kitahara referenced this pull request in hirokuni-kitahara/integrity-enforcer Oct 14, 2021
* Operator update (#1)

* Prepare for Operatorhub.io submission, fixed Makefile, scripts for generating bundle for local olm test, generated new bundle

* Prepare for Operatorhub.io submission: fixed previous version, replaces in CSV

* Prepare for Operatorhub.io submission: changed to operator-sdk version v1.10.1 to deal with validation test issue

* Prepare for Operatorhub.io submission: fixed makefile

* Operator update (#2)

* Prepare for Operatorhub.io submission, fixed Makefile, scripts for generating bundle for local olm test, generated new bundle

* Prepare for Operatorhub.io submission: fixed previous version, replaces in CSV

* Prepare for Operatorhub.io submission: changed to operator-sdk version v1.10.1 to deal with validation test issue

* Prepare for Operatorhub.io submission: fixed makefile

* Prepare for Operatorhub.io submission: fixed scripts and odoc

* Prepare for Operatorhub.io submission: fixed script

* Operator update (#3)

* Prepare for Operatorhub.io submission, fixed Makefile, scripts for generating bundle for local olm test, generated new bundle

* Prepare for Operatorhub.io submission: fixed previous version, replaces in CSV

* Prepare for Operatorhub.io submission: changed to operator-sdk version v1.10.1 to deal with validation test issue

* Prepare for Operatorhub.io submission: fixed makefile

* Prepare for Operatorhub.io submission: fixed scripts and odoc

* Prepare for Operatorhub.io submission: fixed script

* Prepare for Operatorhub.io submission: fixed docs

* Integrity Shield Operator Update to 0.3.0 in OperatorHub.io (IBM#4)

* Prepare for Operatorhub.io submission, fixed makefile, scripts

* Integrity Shield Operator Update to 0.3.0 in OperatorHub.io (IBM#5)

* Prepare for Operatorhub.io submission: fixed script